• Missing icons in ACME configuration settings

    16
    3 Votes
    16 Posts
    2k Views
    F

    UPDATE: Yes, updating to 24.03 and Acme 0.8_1 seems to have resolved this problem. I didn't try upgrading Acme on its own first.

  • ACME error? Or maybe not?

    4
    0 Votes
    4 Posts
    491 Views
    GertjanG

    @oguruma

    When you renew manually, by clicking on the fff4a4e1-f2ba-4d77-a65d-108b5f195d92-image.png button, after a while (DNS Sleep setting) you will see a green box/recap.
    Success at the end ?

    When you check, for example here : System > Certificates > Certificates did you find the cert with new start and end dates ?

    You see the same info here :

    222f4321-96d9-4d22-ab91-3aac33350769-image.png

  • Cannot ISSUE/RENEW Acme Certificate (namecheap api)

    2
    0 Votes
    2 Posts
    385 Views
    cemsonmezC

    @cemsonmez the issue is solved. Almost nothing has been done to fix this. It is all about DNS updates. I have waited some time. It updated and now the certificate is issued.

  • Certificate Updated CA - R11 still pointing to ISRG Root X1

    2
    0 Votes
    2 Posts
    1k Views
    J

    Resolved

    Found some documentation on Let's Encrypt (I really thought the CA change would be handled automatically, apparently not)

    What I did was grab the pem they have listed, create a new CA with the same name, paste the pem and save the new CA

    The chain "Certificates" immediately changed to the new CA removing the count of 1 from the Sept 2024 soon to expire CA and assigning it to the new one (likely would have been fine to just replace the cert pem data in the original and update it.)

    Screen Shot 2024-08-16 at 10.49.12 AM.png

  • Acme and All-Inkl DNS

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • New pfSense, Acme Key and Cert error

    1
    0 Votes
    1 Posts
    195 Views
    No one has replied
  • test post for Acme

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • Certificates

    Moved
    4
    0 Votes
    4 Posts
    323 Views
    GertjanG

    @thezfunk

    You're nearly done, I guess.
    You saw it : https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_namecheap
    And of course the namecheap acme.sh documentation.

    Fill in the domain name, like "pfsense.domain.tld" (you rent domain.tld - right).
    Then the API key.
    Get the user name.

    My advice : set DNS Sleep to "120" seconds.
    And you should be good.

    For namecheap stories, use the forum search button, and search in the pfsense acme.sh sub forum.
    Not this one, as for some reason you posted here but the question isn't "General" at all, and acme has its own forum dedicated to the acme.sh package - let me highlight it for you :

    a77c8154-d11f-4a80-97da-41bbddf6913f-image.png

  • Where to DL acme cert manually?

    2
    0 Votes
    2 Posts
    261 Views
    GertjanG

    @Hyperion said in Where to DL acme cert manually?:

    I have no internet connection on that Netgate and want to download

    Download without an Internet connection ....

    @Hyperion said in Where to DL acme cert manually?:

    and install the packages manually.

    Experts have tried this.
    Guess they haven't a connection either : they never came to post here on the forum about their findings.

    The (FreeBSD) built-in pkg, the package manager, could be used to install FreeBSD packages, but pfSense packages : you need the GUI. I hope to be wrong of course.

    @Hyperion said in Where to DL acme cert manually?:

    Does anyone know a URL source where I can download the needed certificates and install them manually via Terminal/Shell within pfSense

    Can't you just connect to the GUI and install the cert ?
    pfSense is GUI driven.

  • 0 Votes
    2 Posts
    1k Views
    S

    Hi, I went through several rounds of testing and I believe that this is a bug somewhere in pfsense, stunnel.

    Currently:

    The web interface of pfsense uses the same certificate without issues.
    Stunnel with the same certificate fails on pfsense (Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)).
    Installing stunnel 5.68 on a Debian 12.5, the same certificate (pem file copied from pfsense) works without issues.
  • ACME using DNS-DuckDNS failing to renew cert

    3
    0 Votes
    3 Posts
    400 Views
    B

    @bmarkel
    This did help a little. After saving the changes and attempting to Issue/Renew again the screen refreshed with the ACME certbot messages giving me a partial error. Trying to simplify the issue I created a fresh certificate using Let's Encrypt Staging but the errors have been similar.

  • ACME IP address or domain

    4
    0 Votes
    4 Posts
    1k Views
    GertjanG

    @aes4096 said in ACME IP address or domain:

    I can use the DNS method or purchase a Wildcard certificate with subdomain protection, which is more expensive.

    If you can use a DNS Method you can ask for a wildcard certificate.
    Letsencrypt will still be free of use.

    If you own( = rent) a domain name, you control the domain. You are the only one being able to create sub domains.
    I can prove that : try creating aes4096.microsoft.com : good luck ^^

  • 0 Votes
    4 Posts
    1k Views
    GertjanG

    @jcubillo

    Oh ... great. I guess they want to stop being the registrar for 'everybody'.

  • Failure updating ACME certificate - 2

    2
    0 Votes
    2 Posts
    363 Views
    GertjanG

    @lucas1

    You've locked yourself up in a corner.
    For example : I don't recall how things were done several version ago, and I'm pretty sure very few will be able to do so.

    You can't upgrade the acme package, as you can only install/upgrade pfSense packages if you use the latest pfSense version : that's 2.7.2. pfSense 2.5.0 was from 2019 / 2020 ?

    The thing is : Cloudflare can update (change) the way the DNS api works.
    Accordingly, the acme.sh pfSense will get updated also ....

    So, get the current pfSense version first. Install the latest acme pfSense package. Then try again.

    @lucas1 said in Failure updating ACME certificate - 2:

    Please check log file for more details: /tmp/acme/mydomain/acme_issuecert.log

    You've checked ?

  • ACME client can't check for DNS entries due to Error 60

    2
    0 Votes
    2 Posts
    510 Views
    GertjanG

    @MordyT said in ACME client can't check for DNS entries due to Error 60:

    url='https://cloudflare-dns.com'

    exist ??

    Set DNS-Sleep to at least :

    c4df8f8d-832c-486f-838b-61e5891e091b-image.png

  • local and remote CA for lets encrypt

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • Trouble updating certificate with using GoDaddy DNS

    4
    0 Votes
    4 Posts
    667 Views
    D

    @dmorda I also had problems renewing with Godaddy API and the only solution I found was moving to Cloudflare where renewals are working perfectly.

  • Trouble with DNS NSUPDATE (Enable DNS alias mode )

    15
    0 Votes
    15 Posts
    1k Views
    H

    I think I had the same issue with ACME - LE and DA dns check. See this topic
    This one was also solved with the update/reverted code.
    Thank you for the quick fix release @jimp

  • ACME v0.8 Let's Encrypt certificate renewal issue

    5
    0 Votes
    5 Posts
    910 Views
    H

    Noticed there was a new version today 0.8_1 with changes reverted from 0.8 regarding failing challenge checks that were working previously.

    Installed this update, changed the dns wait to 60 seconds again and tested the certificate renewal.
    Worked like a charm again on the first try.

  • ACME Package 0.8 / GoDaddy DNS API-Provider, Cert renewal fails

    1
    0 Votes
    1 Posts
    164 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.